This package creates an AWS bastion configured for Tailscale. It covers steps 1, 2 & 4 of the Tailscale RDS guide.
You may find this package useful if you need high-performance access to internal resources (i.e. RDS) without the overhead and limitations of Session Manager.
```sh
npm i cdk-tailscale-bastion -D
```
The Tailscale auth key should be passed in via Parameter Store or Secrets Manager and NOT hardcoded in your application.
```ts
import { SecretValue, Stack } from 'aws-cdk-lib';
import { Vpc } from 'aws-cdk-lib/aws-ec2';
import { Secret } from 'aws-cdk-lib/aws-secretsmanager';
import { TailscaleBastion } from 'cdk-tailscale-bastion';

// `stack` (a Stack) and `vpc` (a Vpc) are assumed to already exist in your app.
declare const stack: Stack;
declare const vpc: Vpc;

// Secrets Manager: the key is resolved at deploy time, never stored in source
const secret = Secret.fromSecretNameV2(stack, 'ApiSecrets', 'tailscale').secretValueFromJson('AUTH_KEY');
// Systems Manager Parameter Store (SecureString): an equivalent alternative
const altSecret = SecretValue.ssmSecure('/tsauth');

new TailscaleBastion(stack, 'Sample-Bastion', {
  vpc,
  tailScaleAuthKey: secret, // or altSecret
});
```
Whatever resource you intend to reach should permit connections from the bastion on the relevant port, naturally.
I recommend generating an Ephemeral key that includes the bastion as a tag for ease of teardown and tracking:
Once deployed, unless you have auto-approval enabled, you'll need to manually enable the subnet routes in the Tailscale console.
You'll also need to set up the nameserver. The bastion construct conveniently outputs the settings you require for Tailscale's DNS configuration:
Provided your configuration is correct, a direct connection to your internal resources should now be possible.